MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1204.002 Malicious Link
T1566.002 Spearphishing Attachment
The PDF contains a critical heuristic firing for a malicious redirector link, pointing to 'https://ttraff.cc/pify?keyword=airtel+tv+exe++for+pc'. Additionally, it exhibits a PDF link farm heuristic, with numerous external links, many hosted on Shopify. The document body, though heavily obfuscated, contains the same redirector URL and a benign-looking Shopify URL. The presence of a 'download button' heuristic further supports a lure-based attack pattern.
Heuristics 4
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTONDocument contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.cc/pify?keyword=airtel+tv+exe++for+pc
- http://sipevozu.aqeek.com/uploads/1/3/1/4/131452977/e9dca3336.pdf
- http://files.creativeislandphoto.com/uploads/1/3/0/9/130969525/gajavudukabafuvukos.pdf
- http://bulovukid.thegathering4coacheswives.com/uploads/1/3/2/3/132302780/5202613.pdf
- http://furidaw.cambridgegirlschoir.com/uploads/1/3/0/7/130739919/f304b2b.pdf
- https://cdn.shopify.com/s/files/1/0431/5113/0785/files/capites_de_areia_livro_completo_em.pdf
- https://cdn.shopify.com/s/files/1/0433/9000/9502/files/15554864835.pdf
- https://cdn.shopify.com/s/files/1/0431/8858/4605/files/31039558892.pdf
- https://cdn.shopify.com/s/files/1/0437/6051/7269/files/the_boy_in_the_striped_pyjamas_questions.pdf
- https://cdn.shopify.com/s/files/1/0429/9948/0473/files/45327085462.pdf
- https://cdn.shopify.com/s/files/1/0434/9070/5574/files/ganumewazixamawine.pdf
- https://cdn.shopify.com/s/files/1/0430/0845/8905/files/darkest_dungeon_android_port.pdf
- https://cdn.shopify.com/s/files/1/0431/7777/1164/files/82978054318.pdf
- https://cdn.shopify.com/s/files/1/0430/6275/5490/files/95369802068.pdf
- https://cdn.shopify.com/s/files/1/0437/3318/8762/files/xununifa.pdf
- https://cdn.shopify.com/s/files/1/0433/9879/1333/files/depejazilabopi.pdf
- https://cdn.shopify.com/s/files/1/0432/9196/7652/files/70450257914.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00006b59.bin7e71144b9c58839156a311e23e3816467dd8c5dce0a22addf53ccc93240e7b01 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x6B59 | 4420 bytes |
font_01_sfnt_off00007a76.bin2e916e3662e18f9eaf5399d5873609883b5e7151aabeef630e9fe6b1b18706ff |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7A76 | 10580 bytes |
font_02_sfnt_off00009ed3.bin1062cd8ddf90f4344fa193b395386d5669df1a952e5759311ca261a71931f361 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x9ED3 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.